zFP-ADOBE

You see a 'zFP-ADOBE' suspicious behavior alert in your console, against the computer that is the Sophos management server.

This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.

We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and leave you exposed to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.

An example of the alert is shown below.

Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.

First seen in

Sophos Endpoint Security and Control

Cause

We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.

If you see this alert the following must be true:

Your Anti-Virus policy was set to either 'move' or 'delete' files that the on-access scanner detected as malicious during the false positive issue.

One or more computers have reported to the console that the local Anti-Virus has moved or deleted files associated with a third-party application.

You have not purged (removed/deleted) console alerts regarding the move or delete action.

The computer reporting the move or delete action is running a Windows operating system.

Note: Even if you have fixed some applications already, there may be others you do not know about.

Right-click on this link: fpdf.bat, select 'save link' or 'save target' to the Desktop of your server.

Open a command prompt (Start | Run | Type: cmd.exe | Press return) and change directory (cd) to the Desktop of the server.

Type the command below to run the batch file and create an output text file:

fpdf.bat > FpActionedFiles.txt

Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt.

Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.

If you do not see a list of computers, you may have run the file on the wrong computer. Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.

You will now have a text file called FpActionedFiles.txt that lists workstation computers. You can use this list in section 2 and, if required, section 3.

2. Fix applications where files were moved

To fix non-Sophos applications on endpoint computers follow steps one to three below.

The steps are designed to be repeated locally on each endpoint computer mentioned in the FpActionedFiles.txt file. Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation. If there are a large number of affected computers, see the links to further articles on how to deploy the tool across a network.

Note: You should run the tool with administrative rights.

Right-click on this link: FixIssues.exe, select 'save link' or 'save target' to the Desktop of the endpoint computer.

Double-click the tool to run it.

Check that the applications are now working. If there are problems you should check the log files of the FixIssues tool. They are saved in the local temporary folder of the user running the tool. To locate the log files:

What to do if third-party applications are still broken

If you discover that some third-party applications are still not functioning correctly, and you have followed the instructions above, then the alerts were most likely not listed in the database. Hence the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.

In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers. See the list of different methods of deployment in the section above.

3. Fix Adobe applications where files were deleted

You only need to follow this section if your anti-virus cleanup settings deleted files. If you have not already done so, watch the video in the 'Need to check your Anti-Virus settings?' section if in doubt.

If your anti-virus settings did delete files: Use the links below for instructions on recovering each application identified.

Note: If you have already used the FixIssues tool from Sophos, you have restored any files that were moved. You only need to follow these instructions if your anti-virus cleanup settings deleted files.

Application

Adobe Photoshop CS6 (Trial)

Vendor

Adobe

Impact

The following files are affected:

%Program Files%\Adobe\Adobe Photoshop CS6\updaternotifications.dll

%Program Files%\Adobe\Adobe Bridge CS6\updaternotifications.dll

%Program Files%\Common Files\Adobe\OOBE\PDApp\UWA\UWANative.dll

The application appears to work correctly, though the update option from the Help menu is greyed out (this is the trial version). We do not know what will happen if it is clicked.

Resolution

Unfortunately there is no repair option for the MSI: when it is invoked from the command line, an error implying the product is not installed is displayed.

The only solution was to re-install using the install set. This appears to be a clean re-install.

Verified

Verified for this version:

Apple Software Updater 2.1.3.127

Running on these operating systems:

Windows XP Professional SP3

Windows 7 Professional SP1

Windows 7 Enterprise SP1 (64 bit)

Application

Adobe Photoshop CS6 + Adobe Application Manager

Vendor

Adobe

Impact

The following files are affected:

%Program Files%\Common Files\Adobe\OOBE\PDApp\UWA\UWANative.dll

The application appears to work correctly.

If you click the Update option from the PhotoShop Help menu, the application detects that the update functionality is broken and offers to repair it.

Resolution

Select Help->Update. When prompted, download and install a new version of Adobe Application Manager. The missing file is restored.

If you click the Update option from the Illustrator Help menu, the application detects that the update functionality is broken and offers to repair it.

Resolution

Select Help->Update. When prompted, download and install a new version of Adobe Application Manager. The missing file is restored.

Add/Remove Programs does not offer a repair option.

Verified

Verified for this version:

Adobe Illustrator CS6, version 16.0.0 64bit

Running on this operating system:

Windows 7 (64 bit)

Application

Adobe Presenter 7 (Trial version)

Vendor

Adobe

Impact

The following files are affected:

%Program Files%\Common Files\Adobe\Updater6\AdobeUpdater.ar_AE

%Program Files%\Common Files\Adobe\Updater6\AdobeUpdater.*

%Program Files%\Common Files\Adobe\Updater6\Adobe_Updater.exe

%Program Files%\Adobe\Presenter 7\JVM\bin\jusched.exe

%Program Files%\Adobe\Presenter 7\JVM\bin\jucheck.exe

%Program Files%\Adobe\Presenter 7\AdobeUpdater.dll

The application continues to function without warning of the missing/affected files.

Some removed components may be associated with Adobe Flash Player ActiveX, installed alongside this application.

The removal of the AdobeUpdater may also affect Adobe Application Manager Enterprise (which is used for deploying Adobe applications on the network), which in turn probably affects all the other managed updates.

Resolution

Select the “Change/Remove” button next to “Adobe Presenter 7” in Add/Remove Programs. Then select the “Repair” option. All missing files will be replaced.

Application driven recovery TBC.

Application

Adobe Reader 10.1.4

Vendor

Adobe

Impact

The following files are affected:

%Program Files%\Adobe\Reader 10.0\Reader\plug_ins\Updater.api

%Program Files%\Common Files\Adobe\ARM\1.0\armsvc.exe

%Program Files%\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe

%Program Files%\Common Files\Adobe\ARM\1.0\AcrobatUpdater.exe

The application appears to function correctly. Selecting the “Check For Updates” option from the “Help” menu item does not result in any alert of missing files.

Resolution

Select the “Repair Adobe Reader Installation” option from the “Help” menu item. This will trigger the installer, which will require Adobe Reader to be manually shut down.
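As an added illustration (not a Sophos tool and not part of this article), the PowerShell check below can be run on an endpoint to see which of the Adobe files listed in the Impact sections above are absent from an install folder that is otherwise present, which is the footprint the on-access scanner leaves when it moves or deletes a file. It assumes PowerShell is available on the endpoint; the paths are copied from the Impact sections and the one-line fix summaries are condensed from the Resolution sections.

```powershell
# Added example, not part of the Sophos article or its FixIssues tool.
# File lists are copied from the Impact sections; %Program Files% is
# expanded against both roots found on 64-bit Windows.
$apps = @(
  @{ Name  = 'Adobe Photoshop CS6 (Trial)'
     Fix   = 'No MSI repair; re-install from the install set'
     Files = @('Adobe\Adobe Photoshop CS6\updaternotifications.dll',
               'Adobe\Adobe Bridge CS6\updaternotifications.dll',
               'Common Files\Adobe\OOBE\PDApp\UWA\UWANative.dll') },
  @{ Name  = 'Adobe Photoshop CS6 + Adobe Application Manager'
     Fix   = 'Help->Update, then install the new Adobe Application Manager'
     Files = @('Common Files\Adobe\OOBE\PDApp\UWA\UWANative.dll') },
  @{ Name  = 'Adobe Presenter 7 (Trial)'
     Fix   = 'Add/Remove Programs -> Change/Remove -> Repair'
     Files = @('Common Files\Adobe\Updater6\AdobeUpdater.*',
               'Common Files\Adobe\Updater6\Adobe_Updater.exe',
               'Adobe\Presenter 7\JVM\bin\jusched.exe',
               'Adobe\Presenter 7\JVM\bin\jucheck.exe',
               'Adobe\Presenter 7\AdobeUpdater.dll') },
  @{ Name  = 'Adobe Reader 10.1.4'
     Fix   = 'Help -> Repair Adobe Reader Installation'
     Files = @('Adobe\Reader 10.0\Reader\plug_ins\Updater.api',
               'Common Files\Adobe\ARM\1.0\armsvc.exe',
               'Common Files\Adobe\ARM\1.0\ReaderUpdater.exe',
               'Common Files\Adobe\ARM\1.0\AcrobatUpdater.exe') }
)

# On 64-bit Windows a 32-bit Adobe install lives under Program Files (x86).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

foreach ($app in $apps) {
  $missing = @()
  foreach ($root in $roots) {
    foreach ($rel in $app.Files) {
      $full = Join-Path $root $rel
      # The scanner removed files, not folders: an existing parent folder
      # with an absent file is the sign of an affected install. Test-Path
      # accepts the AdobeUpdater.* wildcard from the Presenter 7 entry.
      if ((Test-Path (Split-Path $full -Parent)) -and -not (Test-Path $full)) {
        $missing += $full
      }
    }
  }
  if ($missing.Count -gt 0) {
    Write-Output ('{0}: {1} file(s) missing. Fix: {2}' -f $app.Name, $missing.Count, $app.Fix)
    $missing | ForEach-Object { Write-Output "    $_" }
  }
}
```

An application that is not installed at all produces no output, because its folders are absent too; only installs whose folders survive with files removed are reported.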